Privacy Policies: Fact, Fantasy or Fallacy

Food photos. Baby pictures. Details of pregnancies, ailments, treatments, and triumphs. These are just a few of the data points that millions of people have shared online. Employees, executives, and their families have ‘friends’ around the world whom they’ve never met, and with whom they blithely share the minutiae of their lives. From a corporate security standpoint, though, the ease of digital communications and the friendly nature of social media often translate into corporate secrets and personal information being divulged by well-intentioned board members, management and staff.

The detailed information that people reveal online is a predictable outcome of decades of being nudged into believing that nobody cares about privacy.

In the years since the Internet came into existence, organizations have waged a sustained messaging campaign reminding us that it is somehow good and proper to give up privacy. For convenience. For public safety. For the sake of our children.

While all of that was going on, privacy practitioners struggled to ensure that personal information was properly safeguarded, and security practitioners were busy assuring businesses that data was protected by software and hardware security measures.

In 1986, Sun Microsystems—a company that sold hardware and software, and was founded to sell low-cost, high-performance desktop computers running the UNIX operating system—made its largest single sale of computers to a government agency when the National Security Agency signed an agreement for $500 million worth of Sun equipment. Within six years of starting up, Sun’s annual sales exceeded $1 billion.

Sun was surely a heavy-hitter in a new and influential technology industry. It was also a member of the Online Privacy Alliance, a diverse group of more than 30 global corporations that came together to “introduce and promote business-wide actions that create an environment of trust and foster the protection of individuals’ privacy online.”

At the time of McNealy’s declaration, the director of the Bureau of Consumer Protection at the Federal Trade Commission acknowledged that privacy is a “grave concern” to millions of American consumers. It was also when Sun’s privacy policy assured that the company was “committed to respecting your privacy and recognize your need for appropriate protection and management of personally identifiable information.”

Sun was not alone in offering assurances. Many Online Privacy Alliance members and other companies posted (and continue to post) privacy policies that promise to respect privacy. With that assurance, and with no way to use many platforms without accepting the terms of service in an all-or-nothing Faustian bargain, we click ‘Accept’ every time we log onto a new platform.

Despite the concerns expressed by consumers and companies alike, we have been shamed into posting and sharing intimate details of family events, personal and professional achievements, opinions and interests. We are encouraged to spit into a vial and pay for the privilege to have private companies analyze our genetic make-up, and tell us what we already know. And while we are assured that these organizations respect our privacy, we are seldom cautioned that many of these same service companies have little compunction about sharing results with third parties who might be anywhere in the world.

Anyone bold enough to question the groupthink pressure is treated with disdain, as if their wish to preserve some shred of personal privacy is somehow an affront or threat to everybody else. That makes objectors—the only ones who care about their privacy—different. And in being seen as different, they become pariahs and are pushed to the periphery.

Privacy advocates who recognize the risks to personal information and sound the alarm bells are often dismissed or disbelieved. Like the Greek princess Cassandra, daughter of the King of Troy, privacy professionals have insight and perspective akin to the gift of prophecy, and share Cassandra’s curse when others disregard their warnings.

When those who understand the risks are shunned, sidelined and silenced, it increases the predictable outcome of political and individual ignorance—even as corporations and governments amass detailed databases about each of us.

As one of the world’s wealthiest and most powerful companies, Google has amassed data about billions of people across the globe. The company offers a 2638-word-long ‘privacy policy’ with links to the specific privacy practices of 8 other Google products and services (“certain Google products and services that you may use”):

There’s more. “By virtue of certain of the Services connecting to the Google Maps API, you hereby agree to be bound by the Google Maps/Google Earth Additional Terms of Service (including the Google Privacy Policy) in connection with your use of such Services”.

In all, the Google privacy policy is 18,338 words. Calculating that a single-spaced page of type using 12-point Arial font contains an average of 470 words, Google’s privacy policies are 39 pages long.

Google is not unique. Many organizations, including some whose business is directed at young people, have similarly lengthy terms and policies.

Strava is a San Francisco-based mobile app that is billed as suitable for 13-year-olds. In anticipation of GDPR coming into force in Europe, Strava “improved” its 3927-word-long Privacy Policy and its 779-word-long Terms of Service to make them “even more understandable and transparent”. The first sentence of the privacy policy — which exhorts readers to read the company’s terms of service — is clear that “Your privacy is very important to us.” To read the 7799-word-long terms of service, one must first log on (which, of course, requires having created an account and divulging personal information in the process); and logging on is construed as agreement to the terms and privacy policy.

So, can a 13-year-old really understand and exercise appropriate choice? Will they—or their parents—take the time to slog through the fine print? Or will they simply acquiesce with the resignation of knowing that they have no bargaining power, and that resisting invites FOMO: the fear of missing out on whatever everyone else is enjoying?

Unless human nature changes, it’s easy to anticipate that most people will feed their desire for acceptance, and be driven by a fear of retribution, by simply clicking ‘I Accept’ and living with the consequences, and that will create even more challenges for privacy and access professionals.